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(57) Abstract 

A key agreement method between a pair of entities i and j in a digital data communication system, wherein each entity has a 
private and corresponding public key pair Si,Pj and Sj,Pj respectively and the system, having global parameters for generating elements 
of a group, the method comprising the steps of: (a) entity i selecting a random private session value Rr, (b) forwarding a public session 
value corresponding to the private session value Rj to the entity j; (c) entity j computing a long term shared secret key k' derived from 
entity i's public key and /s private key utilizing a first function Hi; (d) the entity j utilizing entity j utilizing the key k' and computing 
an authenticated message on entity identities /, j and entities public session keys and forwarding the authenticated message to entity *; (e) 
the entity / verifying the received authenticated message; (f) the entity / computing the long term shared secret key k' derived from the 
entity fs public key and i's private key in accordance with the first function Hi; (g) the entity / utilizing the long term shared secret key 
k' and computing an authenticated message on the entities / and j identity information and the entities public session keys and forwarding 
the authenticated message to the entity j; (h) entity j verifying the received authenticated message; and (i) upon both the entities / and j 
verifying the authenticated message, computing a short term shared secret key utilizing a respective entity's session public and private keys. 
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AUTHENTICATED KEY AGREEMENT PROTOCOL 

This invention relates to cryptographic systems and in particular, to authenticated key 
agreement protocols used in the cryptographic systems. 

A key agreement problem exists when two entities wish to agree on keying 
5 information in secret over a distributed network. Solutions to the key agreement problem 
whose security is based on a Diffie-Hellman problem in finite groups have been used 
extensively. 

Suppose however, that entity i wishes to agree on secret keying information with 
entity j. Each party desires an assurance that no party, other than i and j, can possibly 

10 compute the keying information agreed upon. This may be termed the authenticated key 

agreement (AK) problem. Clearly, this problem is harder than the key agreement problem in 
which i does not care which entity it is agreeing on a key with, for in this problem i stipulates 
that the key may be shared with j and no other entity. 

Several techniques related to the Diffie-Hellman problem have been proposed to solve 

15 the AK problem. However, no practical solutions have been provably demonstrated to 

achieve this goal and this deficiency has led, in many cases, to the use of flawed protocols. 

Since in the AK problem, / merely desires that only j can possibly compute the key 
and not that j has actually computed the key, solutions are often said to provide implicit (key) 
authentication. If i wants to make sure, in addition, that j really has computed the agreed key, 

20 then key confirmation is incorporated into the key agreement protocol leading to so-called 
explicit authentication. The resulting goal is called authenticated key agreement with key 
confirmation (AKC). It may be seen that key confirmation essentially adds the assurance that 
i really is communicating with j. Thus, the goal of key confirmation is similar to the goal of 
entity authentication as defined in Diffie-Hellman. More precisely however, the 

25 incorporation of entity authentication into the AKA protocol provides i the additional 
assurance that j can compute the key, rather than the stronger assurance that j has actually 
computed the key. 

A number of distinct types of attacks have been proposed against previous schemes. 
There are two major attacks which a protocol should withstand. The first is a passive attack, 
30 where an adversary attempts to prevent a protocol from achieving its goal by merely 

observing honest entities carrying out the protocol. The second is an active attack where an 
adversary additionally subverts the communication themselves in any way possible by 
injecting messages, intercepting messages, replaying messages, altering messages and the 
like. 

1 
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It is thus essential for any secure protocol to withstand both passive and active attacks 
since an adversary can reasonably be assumed to have these capabilities in a distributed 
network. 

It is therefore desirable to provide a key agreement protocol that mitigates at least 
5 some of the above advantages. 

SUMMARY OF THE INVENTION 

A key agreement method between a pair of entities i and j in a digital data 
communication system, wherein each said entity has a private and corresponding public key 
10 pairs S„ and Sj,Pj respectively and the system, having global parameters for generating 
elements of a group, said method comprising the steps of: 

(a) entity i selecting a random private session value Rj; 

(b) forwarding a public session value corresponding to said private session value 
Ri to said entity j\ 

15 (c) entity j computing a long term shared secret key k x derived from entity f s 

public key and fs private key utilizing a first function Hi; 
(d) said entity j utilizing entity j utilizing said key k } and computing an 

authenticated message on entity identities ij and entities public session keys 
and forwarding said authenticated message to entity z; 

20 (e) said entity i verifying said received authenticated message; 

(f) said entity i computing said long term shared secret key k y derived from said 
entity fs public key and i s private key in accordance with said first function 
H,; 

(g) said entity i utilizing said long term shared secret key k 1 and computing an 
25 authenticated message on said entities i and j identity information and said 

entities public session keys and forwarding said authenticated message to said 
entity 7; 

(h) entity j verifying said received authenticated message; and 

(i) upon both said entities i and j verifying said authenticated message, computing 
30 a short term shared secret key utilizing a respective entity's session public and 

private keys. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

These and other features of the preferred embodiments of the invention will become 
more apparent in the following detailed description in which reference is made to the 
appended drawings wherein: 
5 Figure 1 is a schematic diagram of a digital data communication system; 

Figure 2, 3, 4 and 5, are embodiments of a key agreement protocol according to the 
present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENTS 
10 In the following discussion, the notation as outlined below is utilized and described 

more fully in the Diffie-Hellman paper entitled "New Directions in Cryptography", IEEE 

Transactions on Information Theory, November 1976, and incorporated herein by reference. 
Referring to figure 1, a data communication system 10 includes a pair of entities or 

correspondents, designated as a sender i and a recipient j who are connected by a 
15 communication channel 16. Each of the correspondents, / and j includes an encryption unit 

that may process digital information and prepare it for transmission through channel 1 6 as 

will be described below. Furthermore, the encryption units may be either a dedicated 

processor or a general purpose processor including software for programming the general 

purpose computer to perform specific cryptographic functions. 
20 In the following discussion, kjj is z's key pair fa together with fs public value, tran is a 

transcript of the ordered set of messages transmitted and received by / and j is the agreed key. 
The protocols are described in terms of arithmetic operations in a subgroup generated 

by an element CX of prime order q in the multiplicative group 

Z* = {1,2,..., p — l} where p is a prime. In each case, an entity's private value is an element 
25 SpfZ* = {1,2,. - 1} , and the corresponding public value is P. = a 5 ' MOD 2 , so that f s key 

pair is K l , = {S. 9 P.). It is to be noted that the protocols can be described equally well in 

terms of the arithmetic operations in any finite group and, of course, this would require the 
conversion of the security assumptions on the Diffie-Hellman problem to that group. 
Furthermore, any particular run of a protocol is called a session. For example, the keying 
30 information agreed in the course of a protocol run is referred to as a session key. The 
individual messages that form a protocol run are called flows. 

The protocols as described below employ various primitives. Of these primitives, the 
two primitives used are message authentication codes (MAC) and Diffie-Hellman schemes 
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(DHS). Of course, some applications may wish to use another primitive to achieve 
confirmation. For example, if the agreed session key is later to be used for encryption, it 
seems sensible to employ an encryption scheme to achieve key confirmation rather than 
waste time implementing a MAC. 

5 Referring now to figure 2, a graphical representation of a first embodiment of an AKC 

protocol (Protocol 1) according to the present invention is shown generally by the numeral 
22. We use e R to denote an element chosen independently at random, and commas to denote 
a unique encoding through concatenation (or any other unique encoding). Let Hj and H , 
represent independent random oracles and {p,q,ot) are global parameters. The random oracles 

10 may be defined in terms of coin tosses in the following way. It is assumed that all parties are 
provided with a black-box random function HQ : {0,1} A -> {0,1* } * When H is queried for the 
first time, say on string x, it returns the string of length k corresponding to its first k coin 
tosses as H(x). When queried with a second string say a* 1 , first H compares x and a*' . If 
a'= n , H again returns its first k coin tosses H(n). Otherwise H returns its second k tosses as 

15 H(x'). In instantiations, H is generally modeled by a hash function H. When entity i wishes 
to initiate a run of P with the entity j, i selects an element at random R. e R Z* and sends 

a*' to j. On receipt of this string, 7 checks that 2 < a R> < p - 1 and (a*' ) q = 1 , theny chooses 

Rj e R Z] , and computes a Rj and £'= H x [a ss> ). Finally, j uses k* to compute 

MAC k . (2, z, j,a RJ . a Ri ), and sends this authenticated message to /. (Recall that MAC k ,(m) 

20 represents the pair (m,a) 9 not just the tag a). On receipt of this string, i checks that the form 
of this message is correct, and that 2 < a Rj < p - 1 and (a* J J = 1 . The entity / then computes 
£'= H } (a Si5j ) , recall that a Sj is / s long term public key, and verifies the authenticated 
message it received. If so, i accepts, and sends back to j MAC k . (3, z, j, a Rl , a Rj ). Upon 
receipt of this string, j checks the form of the message, verifies the authenticated message, 

25 and accepts. Both parties compute the agreed session key as k = H 2 [a RjRj ) . If at any stage, 
a check or verification performed by 1 or j fails, then that party terminates the protocol run, 
and rejects. 

In practice, entity i may wish to append its identity to the first flow of Protocol 1 . We 
omit this identity because certain applications may desire to identify the entities involved at 
30 the packet level rather than the message level - in this instance, identifying i again is therefore 
superfluous. 



WO 99/57844 



PCT/CA99/00356 



Note that entities use two distinct keys in Protocol 1 - one key for confirmation and a 
different key as the session key for subsequent use. In particular, the common practice of 
using the same key for both confirmation and as the session key may be disadvantageous if 
this means the same key is used by more than one primitive. 
5 Protocol 1 is different from most proposed AKC protocols in the manner that entities 

employ their long-term secret values and session-specific secret values. Most proposed 
protocols use both long-term secrets and short-term secrets in the formation of all keys. In 
Protocol 1, long-term secrets and short-term secrets are used in quite independent ways. 
Long-term secrets are used only to form a session-independent confirmation key and short- 

1 0 term secrets only to form the agreed session key. Conceptually, this approach has both 

advantages and disadvantages over more traditional techniques. On the plus side, the use of 
long-term keys and short-term keys is distinct, serving to clarify the effects of a key 
compromise - compromise of a long-term secret is fatal to the security of future sessions, and 
must be remedied immediately, whereas compromise of a short-term secret effects only that 

1 5 particular session. On the negative side, both entities must maintain a long-term shared secret 
key k' in Protocol 1 . 
Protocol 2. 

Protocol 2 is an AKC protocol designed to deal with some of the disadvantages of 
Protocol 1 . It is represented graphically in figure 3. The actions performed by entities i and j 

20 are similar to those of Protocol 1, except that the entities use both their short-term and long- 
term values in the computation of both the keys they employ. Specifically, the entities use 

H 2 [a R,R - , a s,Sj ) as their MAC key for this session, and k = H 2 [a R,Rj , a s * Sj ) as the 
agreed session key. Unlike Protocol 1, both long-term secrets and both short-term secrets are 
used in Protocol 2 to form each key. While this makes the effect of a compromise of one of 

25 these values less clear, it also means that there is no long-term shared key used to MAC 
messages in every session between i and j. However, the two entities do still share a long- 
term secret value a ss . This value must therefore be carefully guarded against compromise, 
along with Si and 5} themselves. Conceptually, it is possible to separate the AK phase and the 
key confirmation phase in Protocol 2. 

30 Protocol 3. An embodiment of a secure AK protocol is illustrated in figure 4 which 

shows a graphical representation of the actions taken by / and j in a run of Protocol 3. To see 
that Protocol 3 is not a secure AK protocol if an adversary can reveal unconfirmed session 
keys, notice the following attack. E begins two runs of the protocol, one with fl ■ y , and one 
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with n" . . Suppose Yl] j sends a R> , and H u .j sends a R> . is now forwards a R ' to n" y . , and 
a R '' to nf • . E can now discover the session key k = H 2 [a R,Rj , a s,s> ) held by Yl) j by 
revealing the (same) key held by n" y . 

In this protocol, care must be taken when separating authenticated key agreement 
5 from key confirmation. Protocol 3 above is not a secure AK protocol in the full model of 
distributed computing, but can nonetheless be turned into a secure AKC protocol, as in 
Protocol 2. At issue here is whether it is realistic to expect that an adversary can learn keys 
that have not been confirmed. 

Therefore, in this description we have tried to separate the goals of AK and AKC. A 
10 reason we have endeavored to separate authenticated key agreement from key confirmation is 
to allow flexibility in how a particular implementation chooses to achieve key confirmation. 
For example, architectural considerations may require key agreement and key confirmation to 
be separated - some systems may provide key confirmation during a 'real-time' telephone 
conversation subsequent to agreeing a session key over a computer network, while others 
1 5 may instead prefer to carry out confirmation implicitly by using the key to encrypt later 
communications. 

The reason that we have specified the use of a subgroup of prime order by the DHSs 
is to avoid various known session key attacks on AK protocols that exploit the fact that a key 
may be forced to lie in a small subgroup of Z* . From the point of view of the security 

20 proofs, we could equally well have made assumptions about DHSs defined in Z" rather than 

a subgroup of Z* p . 

It may be noted in particular that, as is the case with Protocol 3, many previous AK 
protocols do not contain asymmetry in the formation of the agreed key to distinguish which 
entity involved is the protocol's initiator, and which is the protocol's responder 
25 Protocol 4. Again, in this protocol instead of describing the actions of i and j verbally, 

we illustrate these actions in figure 5 . While at first glance, Protocol 4 may look almost 

identical to the well-known MTI protocol, where the shared value computed is a s ' Rj+SjRi , 
notice the following important distinction. Entity i calculates a different key in Protocol 4 
depending on whether / believes it is the initiator or responder. In the first case, / computes 

30 k = H 2 [a SiRj , a SjR> ), and in the second case k = H 2 [a SjRj , a s ' Rj ) . As we noted above, such 
asymmetry is desirable in a secure AK protocol. Of course, such asymmetry is not always 
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desirable — a particular environment may require that i calculate the same key no matter 
whether i is the initiator or responder. 

If indeed it can be shown that Protocol 4 is a secure AK protocol, then it can be turned 
into a secure AKC protocol in the same spirit as Protocol 2. 

One issue is how to instantiate the random oracles Hi and H2. A hash function such 
as SHA-1 should provide sufficient security for most applications. It can be used in various 
ways to provide instantiations of independent random oracles. For example, an 
implementation of Protocol 1 may choose to use: 

U,{x)~ SHA -\{0\,x) and H 2 (x) := SHA - 1(1 0,x) . 
A particularly efficient instantiation of the random oracles used in Protocol 2 is possible 
using SHA-1 or RIPEMD-160. Suppose 80-bit session keys and MAC keys are required. 
Then the first 80 bits of SHA - \{a R * Rj , a $iSj ) can be used as k } and the second 80 bits used 
as k. Of course, such efficient implementations may not offer the highest conceivable 
security assurance of any instantiation. 

It is easy to make bandwidth savings in implementations of the AKC protocols. 
Instead of sending the full authenticated messages (m,a) in flows 2 or 3, in both cases the 
entity can omit much of m, leaving the remainder of the message to be inferred by its 
recipient. 

In some applications, it may not be desirable to carry out a protocol run each time a 
new session key is desired. Considering specifically Protocol 2 by way of example, entities 
may wish to compute the agreed key as: 

H 2 (a RiRj , a s,S) , counter) . 

Then, instead of running the whole protocol each time a new key is desired, most of 
the time the counter is simply incremented. Entities need then only to resort to using the 
protocol itself every now and then to gain some extra confidence in the 'freshness' of the 
session keys they're using. 

In Protocols 1, 2, and 3, performance and security reasons may make it desirable to 
use a larger (and presumably more secure) group for the static. Diffie-Hellman number 
{a*' Sj ) than for the ephemeral Diffie-Hellman number (a 2 R ' Rj ) calculation. The larger 
group is desirable because the static number will be used more often. The static numbers 
may be cached to provide a speed up in session key calculation. 

Finally, note that a practical instantiation of G (assume G generates key pairs for each 
entity) using certificates should check knowledge of the secret value before issuing a 
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certificate on the corresponding public value. We believe that this is a sensible precaution in 
any implementation of a Certification Hierarchy. 

While the invention has been described in connection with the specific embodiment 
thereof, and in a specific use, various modifications thereof will occur to those skilled in the 
art without departing from the spirit of the invention as set forth in the appended claims. For 
example, each entity will usually generate key pairs itself and then get them certified by a 
certification authority. 

The terms and expressions which have been employed in this specification are used as 
terms of description and not of limitations, there is no intention in the use of such terms and 
expressions to exclude any equivalence of the features shown and described or portions 
thereof, but it is recognized that various modifications are possible within the scope of the 
claims to the invention. 
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THE EMBODIMENTS OF THE INVENTION IN WHICH AN EXCLUSIVE 
PROPERTY OR PRIVILEGE IS CLAIMED ARE DEFINED AS FOLLOWS: 

1 . A key agreement method between a pair of entities i and j in a digital data 
communication system, wherein each said entity has a private and corresponding public key 
pairs Si, Pi and Sj,Pj respectively and the system, having global parameters for generating 
elements of a group, said method comprising the steps of: 

(a) entity i selecting a random private session value Ri; 

(b) forwarding a public session value corresponding to said private session value R\ to 
said entity j; 

(c) entity j computing a long term shared secret key k' derived from entity fs public 
key and fs private key utilizing a first function Hi; 

(d) said entity j utilizing entity j utilizing said key k } and computing an authenticated 
message on entity identities i, j and entities public session keys and forwarding 
said authenticated message to entity i\ 

(e) said entity i verifying said received authenticated message; 

(f) said entity i computing said long term shared secret key k* derived from said 
entity fs public key and i 's private key in accordance with said first function Hi; 

(g) said entity i utilizing said long term shared secret key k % and computing an 
authenticated message on said entities i and j identity information and said entities 
public session keys and forwarding said authenticated message to said entity y; 

(h) entity j verifying said received authenticated message; and 

upon both said entities i and j verifying said authenticated message, computing a short term 
shared secret key utilizing a respective entity's session public and private keys. 
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